ZPA Posture Check - Azure AD Joined

Posture Check to allow Azure AD joined domains.

When using the posture check to see if a device is “domain joined”, it does not work for devices that are joined to Azure AD.

However, we can search based on Regex Path, as Azure AD joined devices will have the following path:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\{TENANT_ID}\

Create a new device posture profile (Administration > Device Posture), then select the following:

  • Posture Type: Registry Key
  • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\{TENANT_ID}\
  • Match Type: Path

Once configured, this can be applied to ZPA policies.

Non-Azure AD Joined:

By typing “dsregcmd /status”, you can see what the device status is, which in this case is not joined to Azure AD or any other domain.

We can also look at the registry to confirm there is no entry.

This means when this device goes via ZPA it will not be able to pass this posture check. This can be viewed from the diagnostics page under the “User Meta Data”.

Then you can view the device posture. In this case it’s not verified.

Azure AD Joined:

By using a device joined to Azure AD we can see different results.

Output from “dsregcmd /status”, which shows it’s only Azure AD joined.

When I view the logs from ZPA, I can see that the Reg Key posture check is valid for the Azure AD joined device.

6 Likes
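The following PowerShell script is an added example, not part of the original post or of Zscaler's own tooling. It checks locally what the ZPA registry-path posture check will see: it lists the tenant GUIDs under CloudDomainJoin\TenantInfo, compares them against the tenant you expect, and cross-checks the AzureAdJoined and TenantId fields from dsregcmd /status. The $ExpectedTenantId value is a placeholder you replace with your own tenant ID; the Get-AadJoinTenantIds and Get-DsregStatus function names are assumptions made for this example.

```powershell
# Added example (not from the original post): verify on the client what the
# ZPA "Registry Key / Path" posture check will evaluate.
# Assumptions: Windows PowerShell 5.1 or later on the client; dsregcmd.exe is
# present (Windows 10/11); $ExpectedTenantId is a placeholder for your tenant.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# The key the posture profile matches on (tenant-specific subkey beneath it).
$TenantInfoKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'

function Get-AadJoinTenantIds {
    # Returns the tenant GUIDs present under TenantInfo.
    # Empty when the device is not Azure AD joined (key absent, as in the
    # "Non-Azure AD Joined" case above).
    if (-not (Test-Path -Path $TenantInfoKey)) { return @() }
    Get-ChildItem -Path $TenantInfoKey |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$' }
}

function Get-DsregStatus {
    # Parses the "Key : Value" lines of "dsregcmd /status" into a hashtable,
    # e.g. AzureAdJoined, DomainJoined, TenantId. Section banners are skipped.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$tenants = @(Get-AadJoinTenantIds)
$dsreg   = Get-DsregStatus

# Summary of what the posture check should conclude for this device.
[pscustomobject]@{
    RegistryKeyPresent      = ($tenants.Count -gt 0)
    RegistryTenantIds       = ($tenants -join ',')
    RegistryMatchesExpected = ($tenants -contains $ExpectedTenantId)
    DsregAzureAdJoined      = $dsreg['AzureAdJoined']
    DsregDomainJoined       = $dsreg['DomainJoined']
    DsregTenantId           = $dsreg['TenantId']
    # Both sources should agree; a mismatch means the registry key is stale
    # or the device was joined to a different tenant than expected.
    Consistent              = (($tenants -contains $ExpectedTenantId) -and
                               ($dsreg['AzureAdJoined'] -eq 'YES') -and
                               ($dsreg['TenantId'] -eq $ExpectedTenantId))
}
```

Pinning the tenant GUID in the posture profile path (rather than matching TenantInfo\* alone) matters: a device joined to any other Azure AD tenant also has a TenantInfo subkey, so a wildcard match would let it pass the check.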

@aduncan Thank you for sharing this. I was trying to do something similar for Intune Managed devices.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Enrollments\*' | Format-List -Property UPN
But wildcards are not ideal :wink:

Thanks to your post the AAD Joined posture is up and running. Here’s hoping machine tunnel will support this soon :slight_smile:

1 Like

You could edit the Manifest for the Azure AD ZPA Application to return the device trust and apply policy based on that.
Go to Azure AD → App registrations, and search “All Applications” for the one you’ve configured.

You can select Optional Claims and add is_device_managed. It puts a flag next to it saying it won’t be returned, but this would only apply for unmanaged devices.

If you look at the Manifest, you can see the optionalClaims for SAML2. It should look like this.

  "optionalClaims": {
    "idToken": [],
    "accessToken": [],
    "saml2Token": [
      {
        "name": "is_device_managed",
        "source": null,
        "essential": true,
        "additionalProperties": []
      }
    ]
  }

AAD will send an attribute back to ZPA, which you can use to base policy on.

http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged : True

1 Like